Anti-Spam & Rate Limiting Rules
Last updated on March 26, 2026
Apoyo automatically protects your public-facing support widget, Help Center, and Feedback Board from bot spam, malicious payloads, and AI quota exhaustion. These protections run entirely in the background and require no configuration.
Key Features
- IP-Based Rate Limiting: Restricts the number of actions a single user (IP address) can take within a one-minute window to prevent API abuse.
- Workspace Fair Use Protection: Safeguards your account from massive traffic spikes. Apoyo intelligently manages your AI model usage to ensure your widget stays online without generating surprise overage bills.
- Payload Sanitization: Automatically strips malicious HTML and enforces strict character limits on public form submissions (like forum posts) to prevent Stored XSS attacks.
- File Validation: Uses "Magic Byte" validation to ensure users cannot spoof file types when uploading attachments.
- Anti-Enumeration: Silently drops duplicate lead capture submissions to prevent bad actors from flooding your external CRM webhooks.
How to Use
Because these are automated security measures, there are no toggles or settings to manage in your dashboard. However, it is important to understand how these limits affect your end-users if they interact with your portals too quickly:
Chat & Ticketing Limits
- Premium Plan Fair Use (AI Messages): Workspaces on the Premium plan ($19/month) include up to 10,000 high-performance AI messages per month using our most advanced model (gpt-5.4-nano). If your workspace exceeds 10,000 messages in a single billing cycle, Apoyo will automatically transition your widget to the standard gpt-5-nano model. This ensures your website visitors experience zero downtime and you are never charged unexpected overage fees.
- Live AI Chat: End-users are limited to sending 10 messages per minute to the AI agent.
- Offline Tickets: End-users are limited to submitting 3 support tickets per minute.
- File Uploads: End-users can upload a maximum of 5 files per minute.
Feedback Board Limits
- New Posts: Users are limited to creating 10 posts per minute. To prevent database bloat, post titles are strictly capped at 150 characters, and descriptions are capped at 3,000 characters.
- Upvoting: Users are limited to casting 20 upvotes per minute on the public board.
Help Center Limits
- Article Feedback: When users click the helpful/unhelpful emojis at the bottom of a Help Center article, they are limited to 5 feedback actions per minute to prevent rating manipulation.
Important Notes & Pro Tips
- Seamless Model Fallback: When a Premium workspace hits the 10,000 message limit, the fallback to the standard AI model happens instantly and silently. Your website visitors will not see an error message or experience any lag in response times.
- Error Messages: If a user exceeds any of the per-minute rate limits listed above, the system will block the action and display a polite “Too many requests. Please try again later.” error message in their widget or portal.
- Strict File Security: When users upload attachments in the chat, Apoyo doesn't just check the file extension. It reads the raw file buffer (Magic Bytes) to verify the file is genuinely a JPEG, PNG, GIF, PDF, DOC, or DOCX. Malicious files disguised with fake extensions are automatically blocked. All uploads have a strict 5MB size limit.
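The magic-byte check described under Strict File Security, sketched as an added example (not Apoyo's own code): it identifies the file from its leading bytes, requires a DOCX to be a ZIP that actually contains the Word parts, and rejects uploads whose extension disagrees with the content. The names sniff_type and validate_upload are hypothetical, and the 5MB limit is assumed to mean 5 MiB.

```python
import io
import zipfile

MAX_BYTES = 5 * 1024 * 1024  # the page's 5MB limit, read here as 5 MiB (assumption)

# Leading-byte signatures for the file types the page lists.
SIGNATURES = [
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"%PDF-", "pdf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "doc"),  # OLE2 container, shared with XLS/PPT/MSI
]
EXTENSIONS = {"jpeg": {"jpg", "jpeg"}, "png": {"png"}, "gif": {"gif"},
              "pdf": {"pdf"}, "doc": {"doc"}, "docx": {"docx"}}


def sniff_type(data: bytes):
    """Return the type detected from content alone, or None if unrecognised."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    if data.startswith(b"PK\x03\x04"):
        # DOCX is a ZIP archive; a bare ZIP signature is not enough, so require the OOXML parts.
        try:
            names = set(zipfile.ZipFile(io.BytesIO(data)).namelist())
        except zipfile.BadZipFile:
            return None
        if "[Content_Types].xml" in names and "word/document.xml" in names:
            return "docx"
    return None


def validate_upload(filename: str, data: bytes):
    """Return (accepted, detail). The claimed extension must match the sniffed content."""
    if len(data) > MAX_BYTES:
        return False, "too large"
    kind = sniff_type(data)
    if kind is None:
        return False, "unrecognised content"
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in EXTENSIONS[kind]:
        return False, f"extension .{ext} does not match {kind} content"
    return True, kind

if __name__ == "__main__":
    # Constructed sample: PNG bytes uploaded under a .pdf name.
    print(validate_upload("invoice.pdf", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16))
```

A signature match only narrows the container type (the OLE2 header is shared by several Office formats), so a check like this complements, rather than replaces, content scanning and safe serving of stored uploads.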
